<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>Connecting over SSL</title>
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-base.css" />
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-medium.css" />

 </head>
 <body class="docs"><div class="navbar navbar-fixed-top">
  <div class="navbar-inner clearfix">
    <ul class="nav" style="width: 100%">
      <li style="float: left;"><a href="mongo.connecting.html">« Connecting</a></li>
      <li style="float: right;"><a href="mongo.connecting.auth.html">Authentication »</a></li>
    </ul>
  </div>
</div>
<div id="breadcrumbs" class="clearfix">
  <ul class="breadcrumbs-container">
    <li><a href="index.html">PHP Manual</a></li>
    <li><a href="mongo.connecting.html">Connecting</a></li>
    <li>Connecting over SSL</li>
  </ul>
</div>
<div id="layout">
  <div id="layout-content"><div id="mongo.connecting.ssl" class="section">
  <h2 class="title">Connecting over SSL</h2>
  <p class="para">
   The driver supports connecting to <a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/" class="link external">&raquo;&nbsp;MongoDB over SSL</a>
   and can optionally use <a href="" class="link">SSL Stream Context</a> options to provide more details,
   such as verifying certificates against specific certificate chain, or authenticate to
   <a href="https://docs.mongodb.com/manual/tutorial/configure-x509/" class="link external">&raquo;&nbsp;MongoDB using X509 certificates</a>.
  </p>

  <div class="example" id="mongo.connecting.context.ssl">
   <p><strong>Example #1 Connect to MongoDB Instance with SSL Encryption</strong></p>
   <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br />$mc&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(</span><span style="color: #DD0000">"mongodb://server1"</span><span style="color: #007700">,&nbsp;array(</span><span style="color: #DD0000">"ssl"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code></div>
   </div>

  </div>

  <div class="example" id="mongo.connecting.context.ssl.verify">
   <p><strong>Example #2 Connect to MongoDB Instance with SSL Encryption, verifying it is who we think it is</strong></p>
   <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br />$SSL_DIR&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"/vagrant/certs"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$SSL_FILE&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"CA_Root_Certificate.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$ctx&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(array(<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"ssl"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;array(<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">/*&nbsp;Certificate&nbsp;Authority&nbsp;the&nbsp;remote&nbsp;server&nbsp;certificate&nbsp;must&nbsp;be&nbsp;signed&nbsp;by&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"cafile"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$SSL_DIR&nbsp;</span><span style="color: #007700">.&nbsp;</span><span style="color: #DD0000">"/"&nbsp;</span><span style="color: #007700">.&nbsp;</span><span style="color: #0000BB">$SSL_FILE</span><span style="color: #007700">,<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">/*&nbsp;Disable&nbsp;self&nbsp;signed&nbsp;certificates&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"allow_self_signed"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">,<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">/*&nbsp;Verify&nbsp;the&nbsp;peer&nbsp;certificate&nbsp;against&nbsp;our&nbsp;provided&nbsp;Certificate&nbsp;Authority&nbsp;root&nbsp;certificate&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"verify_peer"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">,&nbsp;</span><span style="color: #FF8000">/*&nbsp;Default&nbsp;to&nbsp;false&nbsp;pre&nbsp;PHP&nbsp;5.6&nbsp;*/<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/*&nbsp;Verify&nbsp;the&nbsp;peer&nbsp;name&nbsp;(e.g.&nbsp;hostname&nbsp;validation)&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/*&nbsp;Will&nbsp;use&nbsp;the&nbsp;hostname&nbsp;used&nbsp;to&nbsp;connec&nbsp;to&nbsp;the&nbsp;node&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"verify_peer_name"&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">/*&nbsp;Verify&nbsp;the&nbsp;server&nbsp;certificate&nbsp;has&nbsp;not&nbsp;expired&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"verify_expiry"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">,&nbsp;</span><span style="color: #FF8000">/*&nbsp;Only&nbsp;available&nbsp;in&nbsp;the&nbsp;MongoDB&nbsp;PHP&nbsp;Driver&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">),<br />);<br /><br /></span><span style="color: #0000BB">$mc&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"mongodb://server1"</span><span style="color: #007700">,&nbsp;<br />&nbsp;&nbsp;&nbsp;&nbsp;array(</span><span style="color: #DD0000">"ssl"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">),&nbsp;<br />&nbsp;&nbsp;&nbsp;&nbsp;array(</span><span style="color: #DD0000">"context"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code></div>
   </div>

   <blockquote class="note"><p><strong class="note">Note</strong>: 
    <p class="para">
     The <code class="literal">&quot;verify_peer_name&quot;</code> is new in PHP 5.6.0. The
     MongoDB driver as of 1.6.5 however has backported this feature into the
     driver itself, so it works with PHP 5.3 and 5.4 too
    </p>
   </p></blockquote>
  </div>


  <div class="example" id="mongo.connecting.context.ssl.certificate">
   <p><strong>Example #3 Connect to MongoDB Instance that Requires Client Certificates</strong></p>
   <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br />$SSL_DIR&nbsp;&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"/vagrant/certs"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$SSL_FILE&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"CA_Root_Certificate.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$MYCERT&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #DD0000">"/vagrant/certs/ca-signed-client.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$ctx&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(array(<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"ssl"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;array(<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"local_cert"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$MYCERT</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">/*&nbsp;If&nbsp;the&nbsp;certificate&nbsp;we&nbsp;are&nbsp;providing&nbsp;was&nbsp;passphrase&nbsp;encoded,&nbsp;we&nbsp;need&nbsp;to&nbsp;set&nbsp;it&nbsp;here&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"passphrase"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #DD0000">"My&nbsp;Passphrase&nbsp;for&nbsp;the&nbsp;local_cert"</span><span style="color: #007700">,<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #FF8000">/*&nbsp;Optionally&nbsp;verify&nbsp;the&nbsp;server&nbsp;is&nbsp;who&nbsp;he&nbsp;says&nbsp;he&nbsp;is&nbsp;*/<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"cafile"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$SSL_DIR&nbsp;</span><span style="color: #007700">.&nbsp;</span><span style="color: #DD0000">"/"&nbsp;</span><span style="color: #007700">.&nbsp;</span><span style="color: #0000BB">$SSL_FILE</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"allow_self_signed"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"verify_peer"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"verify_peer_name"&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"verify_expiry"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">true</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;),<br />));<br /><br /></span><span style="color: #0000BB">$mc&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"mongodb://server1/?ssl=true"</span><span style="color: #007700">,&nbsp;<br />&nbsp;&nbsp;&nbsp;&nbsp;array(),&nbsp;<br />&nbsp;&nbsp;&nbsp;&nbsp;array(</span><span style="color: #DD0000">"context"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code></div>
   </div>

  </div>

  <div class="example" id="mongo.connecting.authenticate.ssl.x509">
   <p><strong>Example #4 Authenticating with X.509 certificates</strong></p>
   <div class="example-contents"><p>
    The username is the <code class="literal">certificate subject</code> from the X509, which can be extracted like this:
   </p></div>
   <div class="example-contents">
<div class="shellcode"><pre class="shellcode">openssl x509 -in /vagrant/certs/ca-signed-client.pem -inform PEM -subject -nameopt RFC2253</pre>
</div>
   </div>

   <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br />$ctx&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(&nbsp;array(<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"ssl"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;array(<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">"local_cert"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #DD0000">"/vagrant/certs/ca-signed-client.pem"</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;)<br />)&nbsp;);<br /><br /></span><span style="color: #0000BB">$mc&nbsp;</span><span style="color: #007700">=&nbsp;new&nbsp;</span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">'mongodb://username@server1/?authSource=$external&amp;authMechanism=MONGODB-X509&amp;ssl=true'</span><span style="color: #007700">,&nbsp;<br />&nbsp;&nbsp;&nbsp;&nbsp;array(),&nbsp;<br />&nbsp;&nbsp;&nbsp;&nbsp;array(</span><span style="color: #DD0000">"context"&nbsp;</span><span style="color: #007700">=&gt;&nbsp;</span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code></div>
   </div>

   <div class="example-contents"><p>
    Where <code class="literal">username</code> is the certificate subject.
   </p></div>
  </div>

  <div class="simplesect">
   <h3 class="title">Changelog</h3>
   <table class="doctable informaltable">
    
     <thead>
      <tr>
       <th>Version</th>
       <th>Description</th>
      </tr>

     </thead>

     <tbody class="tbody">
      <tr>
       <td>1.5.0</td>
       <td>
        Added support for X509 authentication.
       </td>
      </tr>

      <tr>
       <td>1.4.0</td>
       <td>
        Added support for connecting to SSL enabled MongoDB.
       </td>
      </tr>

     </tbody>
    
   </table>

  </div>

 </div></div></div></body></html>